Liz Gannes


LinkedIn Tells Users to Change Passwords, Confirms Breach

Update: LinkedIn confirmed the breach, saying it had isolated the compromised accounts and notified users. It will now “salt” its passwords to make them more secure.

It seems likely that LinkedIn has suffered a breach of millions of user passwords, but the company says it hasn’t been able to confirm that’s the case — even some eight hours after it first came to light.


Following widespread reports today that 6.5 million unique passwords had been published online by a Russian hacker, LinkedIn is now adding its official voice to the chorus of people telling users to change their passwords. While it has so many eyes watching its blog and Twitter account for updates, the company just now told users to choose strong, unique passwords and to change them regularly.

The passwords were originally posted two days ago, but news of their ties to LinkedIn looks to have first come out about eight hours ago in a Norwegian paper.

There are two main indicators that the passwords are from LinkedIn: First, thousands of them contain the word “Link” or “LinkedIn”; second, many people — including security researchers — have tweeted or blogged that they have found their own unique LinkedIn passwords in the batch.

The data dump also included about 1.5 million passwords that similarly indicate they may be from eHarmony.

Reportedly, the list likely focused on particularly strong passwords that the hacker wanted help cracking.

The LinkedIn passwords were protected only by “unsalted” hashing with SHA-1, which security experts say is a weak defense.

News of the likely password breach came after concern yesterday about LinkedIn’s new iPhone app feature that sends calendar information to its servers. That’s a less-serious concern, as the opt-in feature is explicitly about matching calendar items with LinkedIn profile data. However, LinkedIn made some modifications today to address user concerns.

